Re: [c-nsp] Port-channel between Cisco 4948 and ASR 9k going err-disable
On 12/10/16 18:06, David Wilkinson wrote:
> Should split horizon stop the loops when connecting downstream switches
> in a resilient configuration?

It can't when you've the ability to loop a broadcast frame around via devices that aren't party to the split horizon forwarding.

I'm not certain this is really how VPLS was supposed to be used, in all honesty. Your 4948s at each site /should not/ be able to broadcast between each other; they ought to both go to a single PE. Anything between them then relies on the PEs (and split horizon forwarding) for loop avoidance.

Assuming that you can't do that for some reason, then perhaps just removing the LAG/STP misconfiguration protection (and sticking with PVST) will solve your current woes.

I do, however, wonder if MST-AG might be safer for you in the long run:

https://supportforums.cisco.com/document/61401/asr9000xr-using-mst-ag-mst-access-gateway-mst-and-vpls

Mainly because the PEs would then know what's going on. It might provide faster convergence across the VFI, too.

To add some further resilience, you could look at multi-homed VPLS (or EVPN) which would involve MC-LAG from both local PEs towards each 4948. You'd still use the same number of 10G links as you are now. Less, if the 4948s aren't interconnected.

In general though, this is a lot of work that could be unpicked very easily if just one of your customers creates a loop within their own network, with effects very similar to those that you've experienced running this topology without PVST. :)

-- 
Tom
___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
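An added illustration of the point Tom makes above (example code, not from the thread or from Cisco): a small Python flooding model in which the ASRs apply the VPLS split-horizon rule, the 4948s are plain flooding bridges and the customer ports are sinks. The node names, the two-PE/two-switch shape and the port-channels that PVST blocks are constructed assumptions.

```python
"""Flooding model: why VPLS split horizon alone cannot stop the loop described.

Added illustration, not code from the thread. PEs apply split horizon (a frame
received from a pseudowire is never sent out another pseudowire); 4948s flood
every frame with no MAC learning; customer ports are sinks. Names are constructed.
"""
from collections import deque

PE, SWITCH, CUSTOMER = "pe", "switch", "customer"


def build(roles, links, blocked=()):
    """roles: node -> role; links: (a, b, kind) with kind in {'cust', 'ac', 'pw'};
    blocked: (node, neighbour) pairs that STP has put into blocking."""
    adj = {n: {} for n in roles}
    for a, b, kind in links:
        adj[a][b] = kind
        adj[b][a] = kind
    return {"roles": roles, "adj": adj, "blocked": {frozenset(p) for p in blocked}}


def flood(topo, origin):
    """Flood one broadcast from `origin`.

    Returns (sorted customer nodes that received a copy, loop_detected).
    A frame is identified by (node, ingress neighbour); forwarding is deterministic
    from that state, so seeing the same state twice means the frame is circulating.
    """
    roles, adj, blocked = topo["roles"], topo["adj"], topo["blocked"]
    seen, delivered, loop = set(), set(), False
    queue = deque([(origin, None)])
    while queue:
        node, ingress = queue.popleft()
        if (node, ingress) in seen:
            loop = True          # same frame arriving again on the same port
            continue
        seen.add((node, ingress))
        if roles[node] == CUSTOMER and ingress is not None:
            delivered.add(node)  # customers are sinks in this model
            continue
        in_kind = adj[node][ingress] if ingress is not None else None
        for nbr, out_kind in adj[node].items():
            if nbr == ingress:
                continue
            if roles[node] == PE and in_kind == "pw" and out_kind == "pw":
                continue         # VPLS split horizon: PW -> PW is never forwarded
            if frozenset((node, nbr)) in blocked:
                continue         # STP blocking port (one of the port-channels)
            queue.append((nbr, node))
    return sorted(delivered), loop


ROLES = {"custA": CUSTOMER, "custB": CUSTOMER, "sw1": SWITCH, "sw3": SWITCH,
         "asr1": PE, "asr2": PE}

# Each 4948 dual-homed to both ASRs, ASRs joined by a VPLS pseudowire (the thread's shape).
DUAL_HOMED = [("custA", "sw1", "cust"), ("sw1", "asr1", "ac"), ("sw1", "asr2", "ac"),
              ("asr1", "asr2", "pw"),
              ("sw3", "asr1", "ac"), ("sw3", "asr2", "ac"), ("custB", "sw3", "cust")]

# Each 4948 attached to a single PE (the shape the reply argues for).
SINGLE_HOMED = [("custA", "sw1", "cust"), ("sw1", "asr1", "ac"),
                ("asr1", "asr2", "pw"),
                ("asr2", "sw3", "ac"), ("custB", "sw3", "cust")]


def no_stp():
    """Dual-homed, no PVST: the broadcast circulates and even returns to custA."""
    return flood(build(ROLES, DUAL_HOMED), "custA")


def pvst_blocking():
    """Dual-homed, PVST has put each 4948's port-channel to ASR 2 into blocking."""
    return flood(build(ROLES, DUAL_HOMED, blocked=[("sw1", "asr2"), ("sw3", "asr2")]), "custA")


def single_homed():
    """Single-homed: split horizon on the PEs is enough, no STP needed."""
    return flood(build(ROLES, SINGLE_HOMED), "custA")


if __name__ == "__main__":
    for name, fn in [("dual-homed, no STP", no_stp),
                     ("dual-homed, PVST blocking", pvst_blocking),
                     ("single-homed", single_homed)]:
        delivered, loop = fn()
        print(f"{name:28s} delivered to {delivered}  loop={loop}")
```

Run it and the dual-homed case without STP reports a loop, with the broadcast arriving back at the customer that sent it; the single-homed case and the dual-homed case with PVST blocking one port-channel per 4948 each deliver exactly one copy to the far customer. The model has no MAC learning, so it only describes broadcast and unknown-unicast flooding, which is precisely the traffic that circulates in a forwarding loop.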
Re: [c-nsp] Port-channel between Cisco 4948 and ASR 9k going err-disable
On 12/10/2016 00:12, Tom Hill wrote:
> I'm assuming you know what that device is that's claiming the root
> bridge? That's probably a good clue.

The "new" root bridge MAC is the device which has always been the root for this VLAN; none of the other devices between these and the root logged a change.

> Assuming PVST BPDUs are leaking across the VPLS instance, perhaps this is
> (as Dragan alludes to) triggering the EtherChannel/STP misconfiguration
> detection. There's a good description here:
>
> http://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/20625-127.html
>
> "Both sent and received BPDUs are examined by the detection mechanism. An
> EtherChannel is considered inconsistent if the channel detects greater
> than 75 BPDUs from different MAC addresses in more than 30 seconds.
> However, if 5 BPDUs are seen consecutively from the same MAC address, the
> detection counters are reset. These timers/counters can change in future
> software releases."

This might be it. It will be seeing BPDUs from different MAC addresses as there are multiple STP-speaking switches connected to the VPLS instances.

> With the split horizon forwarding inherent to VPLS, do you need PVST (or
> STP in general) to run across these links?

Without PVST running I end up with looping traffic. The traffic leaves the VPLS on ASR 1, goes to the 4948 devices, then comes back into the VPLS on ASR 2, which then gets forwarded back to ASR 1 and out to the 4948. Running PVST over the VPLS allowed the 4948 to put one of the port-channels up to an ASR into blocking, stopping the loop.

Take the following as an example: a customer has a layer 2 service between sites. Should one of the ASRs or one of the links to the ASR fail, traffic should flow via one of the other links. The customer's VLAN from the 4948 goes into a VPLS on the ASRs.

        Customer
         |    |
    4948 1    4948 2
      |  |    |  |
    ASR 1 -- ASR 2
      |  |    |  |
    4948 3    4948 4
         |    |
        Customer

If the BPDUs are not sent over the VPLS instance then it loops.

Should split horizon stop the loops when connecting downstream switches in a resilient configuration?
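The EtherChannel/STP misconfiguration detection rule quoted from the Cisco document above, as an added Python model (illustrative code, not Cisco's implementation and not from the thread). It reads "more than 75 BPDUs from different MAC addresses in more than 30 seconds" as a count of BPDUs whose source MAC differs from the previous one since the counters were last reset; that reading, the MAC addresses and the timings are assumptions.

```python
"""Model of the EtherChannel/STP misconfiguration detection quoted in this thread.

Added illustration, not Cisco code. The rule as the document states it: more
than 75 BPDUs from different MAC addresses over more than 30 s declares the
channel inconsistent; five consecutive BPDUs from one MAC reset the counters.
The exact counter semantics are an assumption; MACs and timings are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Bpdu:
    t: float       # seconds since start of the observation (constructed)
    src_mac: str   # bridge MAC address carried in the BPDU


class MisconfigGuard:
    """Per-channel detector; call observe() for every BPDU sent or received on the channel."""

    def __init__(self, threshold=75, window=30.0, reset_run=5):
        self.threshold, self.window, self.reset_run = threshold, window, reset_run
        self.changes = 0                 # BPDUs whose MAC differed from the previous one
        self.first_change_t = None       # when the current run of changes started
        self.last_mac = None
        self.same_run = 0                # consecutive BPDUs from the same MAC

    def observe(self, bpdu: Bpdu) -> bool:
        """Return True when this BPDU makes the channel look inconsistent."""
        if bpdu.src_mac == self.last_mac:
            self.same_run += 1
            if self.same_run >= self.reset_run:
                # a stable single neighbour: reset the detection counters
                self.changes, self.first_change_t, self.same_run = 0, None, 0
        else:
            self.same_run = 1
            self.changes += 1
            if self.first_change_t is None:
                self.first_change_t = bpdu.t
        self.last_mac = bpdu.src_mac
        return (self.changes > self.threshold
                and bpdu.t - self.first_change_t > self.window)


def first_alarm(stream: Iterable[Bpdu]) -> Optional[float]:
    """Time of the first BPDU that trips the detector, or None if it never trips."""
    guard = MisconfigGuard()
    for b in stream:
        if guard.observe(b):
            return b.t
    return None


def healthy_stream():
    """Constructed: one upstream bridge, hello every 2 s, the same MAC every time."""
    return [Bpdu(2.0 * i, "00:11:22:aa:bb:01") for i in range(100)]


def leaking_stream():
    """Constructed: BPDUs from four STP-speaking switches arriving interleaved
    through the VPLS, one every 0.5 s."""
    macs = ["00:11:22:aa:bb:01", "00:11:22:aa:bb:02",
            "00:11:22:aa:bb:03", "00:11:22:aa:bb:04"]
    return [Bpdu(0.5 * i, macs[i % 4]) for i in range(120)]


if __name__ == "__main__":
    print("healthy:", first_alarm(healthy_stream()))   # None
    print("leaking:", first_alarm(leaking_stream()))   # 37.5
```

With a single upstream bridge the five-in-a-row reset keeps the counters at zero, so the detector never fires; with BPDUs from several bridges interleaved across the VPLS the change count passes 75 after about 38 s and the channel would be declared inconsistent, which is the err-disable behaviour the thread is chasing.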
[c-nsp] Cisco Security Advisory: Cisco Meeting Server Client Authentication Bypass Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Meeting Server Client Authentication Bypass Vulnerability

Advisory ID: cisco-sa-20161012-msc

Revision 1.0

For Public Release 2016 October 12 16:00 UTC (GMT)

Last Updated 2016 October 12 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS) could allow an unauthenticated, remote attacker to masquerade as a legitimate user.

This vulnerability is due to the XMPP service incorrectly processing a deprecated authentication scheme. A successful exploit could allow an attacker to access the system as another user.

Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability in some environments are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-msc

-----BEGIN PGP SIGNATURE-----

iQIVAwUBV/5T1K89gD3EAJB5AQJXixAAya7sQ4U4yX6jUyZlGvudqvto/qHd4gj5
1KCqLAs6zo1xQ2FckY5ZcSRCmih3ePR3gn7MMa3hvyaPRrBqqIsStRcsbxgWKK4o
b3z82O3Ff/texUaVCGcPjOlW3Dyji0YNblq5WaNqoNyTDxHRsoF0q9ZfRCPQ7px7
ixH7sjlSnR7M5y8Xvx0ZHPrgD3dh0UFdBsywM8wWKAwMRMgnOK3R8TlbmvRNwEQu
JOjdiIjgiZ0f0mF4aqUNwSzkBbSBEZJ9PbHDWBfxcFnUu06Bja+wRIqIP+iaUFUB
RFZukZ19hPjbuIb3qeKOjpbvOBWdt6w+LGmaVLAvQGooFg3at/LhCfPjjKkPZxfy
E2kD2YjkI1iKbVU79qGmZZXydUp36Ec3uLQVKZJV0vYyg1Frrgh1NXBnQjjCJq1+
+yA3PB2REapoVF+GJ8S5Rce/xYuIh1BG5WMHDGtGKig01e34nvVKHaDVxUmvF/bu
Ldd3WyjJqd0hueeVeAMnogph4Yk9Q0g4WugNKex8gmiYnA6RVe/j6W8MUWLi2vb6
4wep9961nqk16hOeNhNGO9CU5NXNj2hPEMBwgcsA7RJDMLEQpuEmBpuBzxl17vya
vEdt/RQzKTho23POnsSpyucQ5TbXsiqtHxzN2lke9UH0zNKOLJXo+y0b/EElWSAC
AnmG++lEvcw=
=Y8pC
-----END PGP SIGNATURE-----
Re: [c-nsp] VPN IPsec and NAT
Post relevant sanitized phase2 configurations. Mainly your ACLs.

On Oct 12, 2016 04:37, "Tseveendorj Ochirlantuu" wrote:
> Hello
>
> I'm new to site to site IPsec VPN and also the ASA 5505 firewall.
>
> My site to site IPsec VPN tunnel is established between SiteA and SiteB, and
> I can ping IPs behind the firewall. Now I need to
>
> Site A is one VPN end
> Site B is the other VPN end
> Site C is the other VPN end
> IP1 is located outside of Site B.
>
> SiteA ---> SiteB ---> SiteC
>  Site to Site VPN  Site to Site VPN
>
> Which means SiteB has two IPsec VPN configs.
>
> Now I want that if Site A accesses IP1, it goes over the VPN, and Site B's
> firewall should NAT Site A's LAN IP to its outside interface address (PAT
> overload) to reach IP1.
>
> I'm trying to do this but with no success. I have a log in the firewall; I
> just sanitized the IP addresses to the names above:
>
> %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x05673803, sequence
> number= 0x75) from "SiteA Public IP" (user= "SiteA Public IP") to "SiteB
> Public IP". The decapsulated inner packet doesn't match the negotiated
> policy in the SA. The packet specifies its destination as "IP1", its
> source as "SiteA Local IP", and its protocol as 6. The SA specifies its
> local proxy as "SiteC Local Subnet"/0/0 and its remote_proxy as "SiteA
> Local subnet" /0/0.
>
> What is the problem? Thank you.
Re: [c-nsp] 7609 local vlan significance
On 12 October 2016 at 15:38, Nick Cutting wrote:
> I thought the same - which IOS devices have you seen it on -
>
> I have seen it on XE (ASR/CSR/44xx), but not on a fully licensed Sup2T, so
> can't imagine it's on a 7600?

I saw it on some 7200s. I was looking to move services to a 7600, so I opened a TAC case because the documentation was a bit scarce, discussed it with TAC (I wanted to clarify behaviour without CFC cards, DFCs, different line card models etc.), and they said it should work fine. Lobbed the config on a 7600 in the lab (it took the config) but I never got to test it; an ASR9K went into the DC so the design changed and that wasn't needed anymore.

Initially I wrote the config in GNS3 and it worked (so IOS):

https://null.53bits.co.uk/index.php?page=vasi-inter-vpn-routing

Cheers,
James.
Re: [c-nsp] 7609 local vlan significance
I thought the same - which IOS devices have you seen it on -

I have seen it on XE (ASR/CSR/44xx), but not on a fully licensed Sup2T, so can't imagine it's on a 7600?

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James Bensley
Sent: Wednesday, October 12, 2016 4:35 AM
To: Cisco Network Service Providers
Subject: Re: [c-nsp] 7609 local vlan significance

On 12 October 2016 at 02:19, Tony wrote:
> VASI is only on IOS-XE is it not ?

No, it's on IOS, XE and XR.

Cheers,
James.
Re: [c-nsp] AAA-3-BADLIST
Hi,

> Hello,
>
> I'm getting the following on one of our production routers.
>
> %AAA-3-BADLIST: invalid list AAA ID 4190791 -Process= "SSH Process"

Error Message
%AAA-3-BADLIST: invalid list AAA ID %u

Explanation
An AAA client has provided an invalid attribute list to AAA.

Recommended Action
Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. If you still require assistance, open a case with the Technical Assistance Center via the Internet at http://tools.cisco.com/ServiceRequestTool/create, or contact your Cisco technical support representative and provide the representative with the information that you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.

You could turn on some debugging on AAA.

alan
[c-nsp] AAA-3-BADLIST
Hello,

I'm getting the following on one of our production routers.

%AAA-3-BADLIST: invalid list AAA ID 4190791 -Process= "SSH Process"

Regards,
Righa
[c-nsp] VPN IPsec and NAT
Hello

I'm new to site to site IPsec VPN and also the ASA 5505 firewall.

My site to site IPsec VPN tunnel is established between SiteA and SiteB, and I can ping IPs behind the firewall. Now I need to

Site A is one VPN end
Site B is the other VPN end
Site C is the other VPN end
IP1 is located outside of Site B.

SiteA ---> SiteB ---> SiteC
 Site to Site VPN  Site to Site VPN

Which means SiteB has two IPsec VPN configs.

Now I want that if Site A accesses IP1, it goes over the VPN, and Site B's firewall should NAT Site A's LAN IP to its outside interface address (PAT overload) to reach IP1.

I'm trying to do this but with no success. I have a log in the firewall; I just sanitized the IP addresses to the names above:

%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x05673803, sequence number= 0x75) from "SiteA Public IP" (user= "SiteA Public IP") to "SiteB Public IP". The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as "IP1", its source as "SiteA Local IP", and its protocol as 6. The SA specifies its local proxy as "SiteC Local Subnet"/0/0 and its remote_proxy as "SiteA Local subnet" /0/0.

What is the problem? Thank you.
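An added checker for the %ASA-4-402116 message quoted in this post (illustrative Python, not Cisco code and not the poster's configuration): it parses the message and tests the decapsulated packet's source, destination and protocol against the SA's proxy identities, so the selector the packet fails is named explicitly. The unsanitized proxy format net/mask/protocol/port and the RFC 5737 / RFC 1918 addresses standing in for the sanitized names are assumptions.

```python
"""Checker for the ASA %ASA-4-402116 "inner packet doesn't match" message.

Added illustration, not Cisco code. It parses the message and tests the
decapsulated packet against the SA's proxy identities. The proxy format
net/mask/protocol/port and the addresses standing in for the sanitized names
in the post are assumptions.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed stand-in for the sanitized log line in the post:
#   SiteA public IP 203.0.113.10, SiteB public IP 198.51.100.20,
#   SiteA local subnet 10.1.1.0/24, SiteC local subnet 10.3.0.0/24, IP1 = 192.0.2.77
SAMPLE = (
    "%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x05673803, sequence number= 0x75) "
    "from 203.0.113.10 (user= 203.0.113.10) to 198.51.100.20. The decapsulated inner packet "
    "doesn't match the negotiated policy in the SA. The packet specifies its destination as "
    "192.0.2.77, its source as 10.1.1.25, and its protocol as 6. The SA specifies its local "
    "proxy as 10.3.0.0/255.255.255.0/0/0 and its remote_proxy as 10.1.1.0/255.255.255.0/0/0."
)

PATTERN = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\. The SA specifies its local proxy as "
    r"(?P<l_net>[\d.]+)/(?P<l_mask>[\d.]+)/(?P<l_proto>\d+)/(?P<l_port>\d+) "
    r"and its remote_proxy as (?P<r_net>[\d.]+)/(?P<r_mask>[\d.]+)/(?P<r_proto>\d+)/(?P<r_port>\d+)"
)


def parse_402116(line):
    """Return the packet fields and both proxy identities, or None if this is not a 402116 line."""
    m = PATTERN.search(line)
    if "%ASA-4-402116" not in line or not m:
        return None
    f = m.groupdict()
    return {
        "src": ip_address(f["src"]), "dst": ip_address(f["dst"]), "proto": int(f["proto"]),
        "local_proxy": ip_network(f"{f['l_net']}/{f['l_mask']}", strict=False),
        "remote_proxy": ip_network(f"{f['r_net']}/{f['r_mask']}", strict=False),
        "proxy_proto": int(f["l_proto"]),
    }


def check(line):
    """List the selectors the inner packet fails (empty list = it matches the SA).

    The packet arrived from the peer, so its source must fall inside the remote
    proxy and its destination inside the local proxy of the negotiated SA.
    """
    p = parse_402116(line)
    if p is None:
        return None
    failed = []
    if p["src"] not in p["remote_proxy"]:
        failed.append("source")
    if p["dst"] not in p["local_proxy"]:
        failed.append("destination")
    if p["proxy_proto"] not in (0, p["proto"]):   # 0 in the proxy means any protocol
        failed.append("protocol")
    return failed


if __name__ == "__main__":
    print("selectors failed:", check(SAMPLE))   # ['destination']
```

For the constructed line only the destination selector fails: IP1 lies outside the local proxy of the SA that was negotiated with SiteA (SiteC's subnet), so the ASA drops the packet after decapsulation. That is why the reply asks for the phase 2 configuration and the crypto ACLs, since the proxy identities in the message come straight from them.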
Re: [c-nsp] 7609 local vlan significance
On 12 October 2016 at 02:19, Tony wrote:
> VASI is only on IOS-XE is it not ?

No, it's on IOS, XE and XR.

Cheers,
James.